PUA - Sysinternal Tool Execution - Registry

Detects the execution of a Sysinternals tool via the creation of its "EulaAccepted" registry entry (written under HKCU\Software\Sysinternals\<tool> when the EULA is accepted, for example with the -accepteula switch). The rule matches on the registry path suffix only, so other programs that write a value with the same name also trigger it.

Sigma rule

title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: test
description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017/08/28
modified: 2023/02/07
tags:
    - attack.resource_development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_add
detection:
    selection:
        EventType: CreateKey
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same Registry Key
level: low
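The following is an added worked example, not part of the SigmaHQ rule or this page: it applies the rule's selection (EventType is CreateKey and TargetObject ends with \EulaAccepted) to a few constructed Sysmon registry events and annotates each hit with the tool name parsed from the conventional HKCU\Software\Sysinternals\<tool> path. The field names (EventID, EventType, Image, TargetObject) are assumed to follow the Sysmon Event ID 12 schema that the windows/registry_add logsource maps to; the SIDs, paths and image names are invented. Matching is done case-insensitively, as Sigma string modifiers are by default.

```python
# Added example (not part of the SigmaHQ rule or this page): the rule's
# selection applied to constructed Sysmon registry events.
# Assumed field names (EventID, EventType, Image, TargetObject) follow the
# Sysmon Event ID 12 schema the sigma windows/registry_add logsource maps to.
import re

# Constructed sample events; SIDs, paths and image names are invented.
SAMPLE_EVENTS = [
    # Sysinternals PsExec accepting its EULA: should match
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Tools\PsExec64.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Sysinternals\PsExec\EulaAccepted"},
    # ProcDump, same pattern, different tool and different case: should match
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Tools\procdump.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\software\sysinternals\procdump\eulaaccepted"},
    # Unrelated installer that uses the same value name: the rule still fires
    # (this is the "Programs that use the same Registry Key" false positive)
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Program Files\ExampleVendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\ExampleVendor\Setup\EulaAccepted"},
    # Deletion of the key, not creation: EventType does not match
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Tools\PsExec64.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Sysinternals\PsExec\EulaAccepted"},
    # Parent tool key only, no EulaAccepted suffix: TargetObject does not match
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Tools\PsExec64.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Sysinternals\PsExec"},
]

# Pulls the tool name out of the conventional ...\Sysinternals\<Tool>\EulaAccepted path.
_SYSINTERNALS_RE = re.compile(r"\\Sysinternals\\([^\\]+)\\EulaAccepted$", re.IGNORECASE)


def matches_rule(event):
    """The rule's 'selection': EventType is CreateKey AND TargetObject ends
    with \\EulaAccepted. Sigma string matching is case-insensitive by default,
    so both sides are lowercased before comparing."""
    return (event.get("EventType", "").lower() == "createkey"
            and event.get("TargetObject", "").lower().endswith("\\eulaaccepted"))


def sysinternals_tool(target_object):
    """Return the Sysinternals tool name encoded in the key path, or None when
    the path is not under a Sysinternals key (a likely false positive here)."""
    m = _SYSINTERNALS_RE.search(target_object)
    return m.group(1) if m else None


def triage(events):
    """Run the rule over a list of events and annotate each hit for review."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        tool = sysinternals_tool(ev["TargetObject"])
        hits.append({
            "image": ev.get("Image"),
            "tool": tool,
            # Added triage aid: the Sigma rule itself fires on all three hits.
            "likely_false_positive": tool is None,
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Running it yields three hits: PsExec and ProcDump, plus the unrelated installer, which the rule cannot tell apart from a Sysinternals tool because the selection only inspects the path suffix. The likely_false_positive flag is an added triage aid, not something the rule computes; if you want the rule itself to be stricter, the natural tightening is to require the Sysinternals parent key in TargetObject as well, at the cost of missing tools run from a relocated or renamed key.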
